If you don't currently have a hardware firewall instead of using a hacked together product like ISA, why not spend $650 on a Cisco ASA 5505?
If you don't currently have a hardware firewall instead of using a hacked together product like ISA, why not spend $650 on a Cisco ASA 5505?
Is it like a device that runs software to act as a firewall????
Quote:
hardware firewall
Did you read the title of the thread???
:rolleyes:
MLF
You could make this statement with lots of hardware, and with his VPN and the Cisco client, I think it would be a better assumption for him to get a PIX instead.
Quote:
Originally posted here by Net2Infinity
If you don't currently have a hardware firewall instead of using a hacked together product like ISA, why not spend $650 on a Cisco ASA 5505?
edit: Anyways, I guess there shouldn't be any more assumptions until the OP replies with some information.
I don't think there was any indication that he wasn't going to use the ISA for auth. As for the VPN client, I would guess he wants to set up a VPN between the remote site and his ISA / Cisco router.
Quote:
Yes the original poster needs to supply more info....and if he doesn't use the ISA for authentication...and doesn't want to use the Cisco VPN client...........then I guess anyone coming in through the router will have access to the internal network.....
This is obviously way over my head :cool:
MLF
lol, well this is my understanding. Right now, his users connect to an ISA server (proxy, firewall, whatever). To access a VPN intranet, they have to use a Cisco VPN client (just a normal VPN, but it's used for Cisco hardware). He wants to either 1.) set up a VPN from the ISA server to the Cisco equipment that the VPN is running through, or 2.) set up a VPN from Cisco router -> Cisco equipment.
Quote:
Setting up the VPN on the ISA server is very simple, but unless you explain what ISA version you're using (2000 from the link, but that may just be for reference) then there isn't much I can do.
The PIX is essentially a router, firewall, and VPN solution in one. It's just like a router, as it has access lists to control information and translations / fixup to forward ports / protocols. The ASA the other person linked is essentially a complete security appliance. The only reason I could see him linking that is because of what he has heard / read on other forums about ISA server.
Thanks Zunger...
I WAS joking.............. ;)
Back to the question...what is the question????
Net2Infinity
It's not the application/device.....it's the configuration and administration that makes them flawed....
MLF
Ok, well just guessing from the information in the original post, I would say that ISA is going to be used as the network gateway. I am no expert at ISA server, but I have set it up on a number of Small Business servers.
The configuration should be set up so that all users have to go out via the ISA server. Meaning that they shouldn't have direct access to the ADSL router, or any hardware firewall/gateway.
Typically this is done via two NICs in the ISA server, one for intranet, one for internet usage. All workstations get pointed to the ISA server for external access. The second NIC is configured as the local gateway. All incoming traffic (VPN) gets passed through the ADSL router, through any hardware firewall, and authorized via the ISA VPN client. In most cases, ISA server acts like a hardware firewall, via the second NIC. There really isn't any reason to use both the router VPN and the ISA VPN.
Of course if you have your gateway attached directly to the same switch as your LAN, then users can easily bypass all the ISA settings and security.
ISA server isn't junk, and lots of companies use it. It wasn't "hacked together".
Ok .......... looks like perhaps I need to give some more clarity on request.
One client has 2 sites
SITE A
----------
Cisco Router 877
ADSL Internet
Windows Client Computers
SITE B
-----------
Cisco Router 877
ADSL Internet
Windows Client Computers
Windows Server
ISA Server
SITE A needs to access services on SITE B using the ADSL connection through the Internet. The other thing to remember is that BOTH sites' IP addresses will be DYNAMIC because they connect via the ADSL network.
The ISA Server is connected to SITE B. We need SITE A to access services such as Exchange, SharePoint, shared folders and certain business applications at SITE B.
We need to minimise cost, so the client wants ADSL and not Diginet between the 2 sites. They will not be making use of any VPN clients, eg. Cisco VPN client. We need to create a LAN across a WAN using ADSL connectivity. The piece of software we have to configure this is an ISA server at B. ISA Server 2004 has been configured on a W2K3 Server box.
This server also needs to be configured to access services on my network. I also have business applications required by the client.
I hope this info will clear things up a little bit.
Please help ......I'm running out of time................ :(
Sounds to me like you need a VPN. First thing you're going to need is some type of Dynamic DNS to set up a hostname to an IP. I'm not sure of any, but I would bet someone else on these forums could help you there.
From what I can see, the 87x series allows VPNs, so your easiest / most secure way would be to go into the SDM and configure the VPN that way, instead of through the ISA server.
edit: Take a quick look through some of this - http://www.cisco.com/en/US/products/...tion_home.html
I would guess your 877 should have it.
Quote:
Cisco Easy VPN Remote is now available on Cisco 800
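A worked configuration for the router-to-router tunnel suggested in the post above, added here as an example; it is not from the original thread, the OP, or Cisco's documentation. It assumes IOS 12.4 with the Advanced Security feature set on both 877s, the made-up DDNS names sitea.example-ddns.net / siteb.example-ddns.net, the LANs 192.168.10.0/24 (Site A) and 192.168.20.0/24 (Site B), a placeholder DDNS provider URL and placeholder credentials. It uses a standard IPsec crypto map keyed on the peers' hostnames rather than the Easy VPN Remote feature quoted above, so that either end can initiate even though both addresses change. Only Site A is shown; Site B is the mirror image with hostnames and subnets swapped.

```cisco
! ADDED EXAMPLE, not from the thread. All names, subnets, URLs and passwords are
! placeholders. Site A of a pair of Cisco 877s on dynamic ADSL addresses.
hostname sitea
! The IKE identity below is sent as <hostname>.<domain>, so this must match the
! name the other router has in its "crypto isakmp key ... hostname" line.
ip domain name example-ddns.net
! Both routers must resolve each other's DDNS names; use the ISP's resolvers.
ip name-server 203.0.113.53
!
! --- Dynamic DNS: publish the Dialer0 address whenever it changes -------------
! (type Ctrl-V before the "?" when entering the URL at the IOS CLI)
ip ddns update method ddns-provider
 HTTP
  add http://DDNSUSER:DDNSPASS@members.example-ddns.net/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 1 0 0
!
! --- ADSL (PPPoA; VPI/VCI 8/35 is an assumption, use the ISP's values) --------
interface ATM0
 no ip address
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip ddns update hostname sitea.example-ddns.net
 ip ddns update ddns-provider
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname ISPUSER
 ppp chap password 0 ISPPASS
 crypto map VPNMAP
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! --- IKE phase 1: identify by FQDN (the IP changes) and key on the peer's name ---
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp identity hostname
! IOS resolves this hostname via DNS to find the key for an incoming peer.
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-PSK hostname siteb.example-ddns.net
! DPD: tear down a dead SA quickly after the far end gets a new address.
crypto isakmp keepalive 30 5
!
! --- IPsec phase 2 -------------------------------------------------------------
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Only LAN-to-LAN traffic goes into the tunnel.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! "dynamic" makes IOS re-resolve the peer name each time it builds the SA
! instead of caching the address it found at boot.
crypto map VPNMAP 10 ipsec-isakmp
 set peer siteb.example-ddns.net dynamic
 set transform-set TS
 match address VPN-TRAFFIC
!
! NAT Internet traffic, but never tunnel traffic (NATted packets would no
! longer match VPN-TRAFFIC and the SA would never come up).
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface Dialer0 overload
```

Two things to check before relying on this: after an address change the tunnel only re-forms once the far side's DDNS record has actually been updated and the stale IKE SA has been torn down, so keep the provider's TTL low and keep the keepalive in place (verify with `show crypto isakmp sa` and `show crypto ipsec sa`). And, as pointed out earlier in the thread, traffic arriving over this tunnel lands directly on the Site B LAN behind the 877, not on ISA's external NIC, so ISA's rules do not apply to it unless the Site B network is arranged so the tunnel traffic has to pass through ISA.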
I agree with the VPN between the two 800 series routers to address your connectivity issue. However, be aware that your connection speed will be the upstream speed of the DSL circuits. Not to mention you will have to share this 256k pipe with everyone that is surfing the internet at the locations.
In addition I find it odd that I got "Negd" for supposedly seeing products instead of answering the question. I contributed by offering a different solution to the posed problem, I am sorry that you took offense to my solution. I don't see anywhere that I indicated that I would sell anybody anything. Anyways, any self-respecting security professional wouldn't run any firewall on any Microsoft platform.